Wednesday, September 9, 2015

Blackberry and Security


I recently found a nasty SQL Injection bug that enabled me to view personal information of Blackberry's customers and employees that was quite similar to the simple hack that Weev was incarcerated for. Rather than dump the data, or write a script to hammer away at it, I disclosed the bug and Blackberry gave me credit for it:

http://ca.blackberry.com/enterprise/products/incident-response-team.html


I have made similar disclosures in the past to other companies, all of which didn't even seem to care about the bugs. Blackberry's incident response team, however promptly emailed me and kept up to communication throughout the process,

[BIRT2015-00446] Vulnerability Report

Hi Douglas,
Hope you are doing well. I'm happy to report the issue you reported to BlackBerry Security has been resolved. BlackBerry Security appreciates you responsibly disclosing this issue to us. On our external website, we list researchers that report security issues under our acknowledgments section, http://ca.blackberry.com/enterprise/products/incident-response-team.html If you would like to have your name added, and it has not already been listed once this calendar year, please send me the name and either Twitter or company name you would like added. As per BlackBerry Security Response's policy, you will see your name posted on our website for the last Friday of the month.

Thanks again for responsibly disclosing this issue.
BlackBerry Security Response

I have always been a big fan of Blackberry. If you're a fan too, you can check out my design gallery of Blackberry wallpapers!

~Douglas

No comments:

Post a Comment